[openssl-dev] [openssl.org #4574] Crash introduced in openssl 1.0.2 for non-blocking calls to SSL_write that change the write size

Susan Hinrichs via RT rt at openssl.org
Wed Jun 15 17:20:00 UTC 2016


From the Apache Traffic Server community, we have observed a new crash moving from openssl 1.0.1 to openssl 1.0.2.  The issue from our perspective is discussed in https://issues.apache.org/jira/browse/TS-4424.  The last couple of comments are relevant to openssl.
Specifically, we are using a non-blocking socket.  When we use the dynamic record feature, we might call SSL_write() after a NEEDS_WRITE failure with a different write size.  As defined, this should cause an error.  Evidently this failure happened rarely enough that no one noticed it.  We will fix this error of usage within ATS.

But with openssl 1.0.2, instead of getting an error failure, we get a core dump.  Looking at openssl 1.0.2h in ssl/s3_pkt.c and comparing that to the openssl 1.0.1m version, we see in ssl3_write_bytes() on line 686 that the value of tot can get incremented after the change in write size has been checked for on line 670.  So when we call do_ssl3_write on line 830, the tot offset is way off the end of the buffer, either causing an immediate ASAN error or an eventual memory error.
It appears that in openssl 1.0.1 the ssl3_write_pending call was in do_ssl3_write() and so did not impact the buffer offset.
-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4574
Please log in as guest with password guest if prompted
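The usage error described in the report (retrying SSL_write() after a would-block result with a different length) is easy to catch on the caller's side before the library ever sees it. The following is an added example, not ATS or OpenSSL code: a small wrapper that parks the pending request and rejects a changed retry; `write_fn` is a hypothetical hook standing in for SSL_write() so the demo runs without libssl. If SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER is set, the pointer comparison can be dropped, but the length check must stay.

```c
#include <stddef.h>

/* Constructed example (not ATS or OpenSSL code). After SSL_write() fails
 * with SSL_ERROR_WANT_WRITE on a non-blocking socket, the retry must use
 * the same buffer and length; changing the size is a usage error (and a
 * crash on 1.0.2 per the report). This wrapper enforces that contract. */
enum { WRAP_WANT_WRITE = -1, WRAP_BAD_RETRY = -2 };

/* Hypothetical hook in place of SSL_write(): bytes written, or -1 for would-block. */
typedef int (*write_fn)(void *ssl, const void *buf, int len);

typedef struct {
    write_fn    write;     /* SSL_write in real use */
    void       *ssl;       /* opaque SSL * */
    const void *pend_buf;  /* request outstanding after WANT_WRITE, or NULL */
    int         pend_len;
} ssl_writer;

/* Returns bytes written (>0), WRAP_WANT_WRITE (retry later with the same
 * args), or WRAP_BAD_RETRY if the caller changed a pending request. */
int guarded_write(ssl_writer *w, const void *buf, int len)
{
    if (w->pend_buf != NULL && (w->pend_buf != buf || w->pend_len != len))
        return WRAP_BAD_RETRY;          /* caught before SSL_write() */
    int n = w->write(w->ssl, buf, len);
    if (n < 0) {                        /* would block: park the request */
        w->pend_buf = buf;
        w->pend_len = len;
        return WRAP_WANT_WRITE;
    }
    w->pend_buf = NULL;                 /* done; a new size is fine now */
    w->pend_len = 0;
    return n;
}

/* Fake writer for the demo: would-block once, then succeed. */
static int fake_calls;
static int fake_write(void *ssl, const void *buf, int len)
{
    (void)ssl; (void)buf;
    return fake_calls++ == 0 ? -1 : len;
}

/* Replays the report: WANT_WRITE, then a retry with a smaller dynamic record
 * size. Returns 1 if the bad retry is rejected and the same-size retry completes. */
int demo_changed_size_rejected(void)
{
    static char rec[16384];
    ssl_writer w = { fake_write, NULL, NULL, 0 };
    fake_calls = 0;
    if (guarded_write(&w, rec, 16384) != WRAP_WANT_WRITE) return 0;
    if (guarded_write(&w, rec, 1400) != WRAP_BAD_RETRY) return 0;
    return guarded_write(&w, rec, 16384) == 16384;
}
```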